Your EMR is secure. Great! What about your computers & email accounts? As a practice owner using a cloud EMR or medical or dental practice management software, you might assume everything is secure. And that is true. It’s also false. Here’s what you need to know about IT security beyond a secure cloud EMR or practice software.
Cloud EMR Security Is a Shared Liability Between Software Developers and Practice Owners
The EMR protects the EMR. Each practice owner must protect their own devices and email accounts which connect to the EMR.
Patient data is still at risk if practice owners fail to apply cyber security across the board (everything outside the EMR software including servers, workstations, data backups, imaging folders etc).
If you read the fine print in your EMR software terms of service, you should find wording on shared responsibility for cloud security.
Your cloud providers have responsibilities to you, for protecting your data, but you also have responsibilities in protecting your data and the data of your clients. The ways in which you and your team apply (or fail to apply) best practices for PIPEDA and cyber security will be a big factor in whether you protect your business or end up with a breach or liable in the event of a patient claim.
IT Security For Practice Owners
It does not matter what cloud software or infrastructure you choose, you are responsible for securing your own space within that cloud environment and also securing all endpoints (computers) that will connect to your cloud services.
In other words, just because your practice uses a cloud service owned and maintained by another company does not mean you can take security for granted. Insufficient due diligence is one of the top reasons for security failures.
Cloud security concerns fall into two general classes:
1. Security dilemmas encountered by cloud providers (SaaS, PaaS, and IaaS providers)
2. Security dilemmas encountered by customers of cloud providers (organizations or enterprises that store data or host applications on the cloud)
While cloud providers must ensure the defense of their cloud infrastructure, customers must also:
• Understand relevant laws and regulations for compliance and risk management.
• Choose the right people to support technology.
• Use trusted software from reputable vendors.
• Use Identity Management to apply policies and conditional access rules across all devices connecting to practice data, and to bound all approved devices that are allowed to access practice data to the domain and deny all others from access.
• Continuously monitor endpoints (computers) for cyber threats, compliance and risk concerns.
• Continuously patch and update all endpoints to protect from vulnerability in software code exploited by would be attackers (daily or weekly).
• Use strong passwords enforced by policy on all devices accessing practice data.
• Not allow staff to share logins, passwords or email accounts.
• Use 2 factor authentication on all email accounts, enforced by policy on all accounts connected to practice domain.
• Have secure processes to revoke all access from staff when they leave the practice (secure offboarding).
• Consider enacting a no-file-download policy to local computers. Additionally, file editing should be done over the cloud, making it easier to control data security and manage files if and when an employee leaves the organization.
• Considering portability between databases.
• Maintain backup and disaster recovery frameworks for all patient data, including digital radiographs, as well as all practice email communications.
As you can see, there are many PIPEDA and cyber security requirements that fall outside the scope of just having a secure EMR.
The complexity of technology management paired with ever rising threats, especially against high target industries such as the medical industry, more practice owners are turning to outsourced IT security & infrastructure management.
Managing Security Outside The EMR
You have a lot of technology to manage outside your EMR, including but not limited to:
• Cloud or local servers
• Cloud or local computers
• Web and email domains
• Identity control systems
• Email accounts
• Any personal or mobile devices staff may use for practice email access
• File storage, downloading, forwarding etc
• WiFi & network switches, modems and routers and more
Each one is vulnerable to multiple security threats. Each one must be reasonably secured and managed by the practice owner. A Managed IT Services Provider (MSP) will manage all of the above for you, for less than the cost of hiring a dedicated IT employee.
Using best practices, Remote Monitoring & Management tools (RMM) and automation, your MSP will apply and maintain best practices that meet PIPEDA and other compliance requirements, and also reduce risk and liability.
IT Management Services Options
You can opt for basic endpoint management only, which offers good antivirus and automated software and computer patching to protect against many common threats. However, basic endpoint management does not include Identity Management, security polices across all devices, and many other best practices.
For full compliance, a fully managed environment is wise, which would include a domain controller, security policies, email security, data security, ransomware prevention and more.
Basic endpoint management is as little as $25-30 per computer, per month.
Fully compliant solutions vary based on the size and makeup of the network.
Factors that affect costs are how many servers there are, whether physical or cloud servers, how many computers there are to manage and provide antivirus and other tools for, how much data is being backed up and whether the data only is being backed up, or whether the entire infrastructure is included in the disaster recovery plan.
Base infrastructure management fees can range from $150-$450 per month, and each managed computer between $75-$99 per month. These fees include unlimited help desk support for your staff, as well as on site visits for any issue unresolved by remote means. In addition, some MSP’s offer preferred rates for any major IT projects you may need in future.
Without managed security in today’s world, everything you have built is at risk.
A small IT management fee each month offers security and support to keep your practice healthy and growing.
Schedule your free consultation now to discuss your IT management for everything outside your EMR.